dependabot-python 0.369.0 → 0.370.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 64cdd01e07bc2f6472a1027884006af4c7df3648168f04135c7b91cdf5530f14
-  data.tar.gz: b5610dc0420858f42cb23a8462abcd7ebd4b9b1aab8be3ca28233a99c239982c
+  metadata.gz: 67c1d482dda68f38a7bbc7ea74f0d4cc206debd5c3f0704905911b05f04e4b2f
+  data.tar.gz: bb39f9c0055c2ab9a86d8a2138676c69fbac55e52c45a7a261b7af5b94c28042
 SHA512:
-  metadata.gz: f4cb556708bba8d54dc3d04495d021e4808cf5651184ed9fe2d1b65d6b1114c688f92d9be8ab8fae6e96d818643ce4c4824db5971dc2fabf55370b6ffff26f39
-  data.tar.gz: 64514c6fad289e34af6bdbaeecc25f8ff815ba193d77088a86fa3399c9379ab1cad740ff0f18ae0ac176e85375714e15f36ceae638b96d6e2714f425ce86cd96
+  metadata.gz: 9d0def98050153cafb8f4ce61c39495fd8b24f82f4ca8a4d62f158b86bfa9a695016520b92c4b54025d1df9a5c98be6eb5bba723e54846e3c449feee86d7fa28
+  data.tar.gz: 715ae0908b35409adb0a67afb7aa5c6ca1cbb6036ae596719a8ef5afbe3b326571850a4b026820541e56c1ad70afd9a960cf7a796cf4a1b1986f2e4bb26531b6

data/helpers/lib/parser.py

@@ -32,6 +32,30 @@ def parse_pep621_pep735_dependencies(pyproject_path):
                 next(iter(specifier_set)).operator in {"==", "==="}):
             return next(iter(specifier_set)).version
 
+    def original_requirement_from_entry(entry, req):
+        """Extract the original requirement string.
+
+        The packaging library normalizes specifiers
+        (removes spaces, reorders operators), but we
+        need the original so the file updater regex
+        can match the file content.
+        """
+        # Strip the name (and any extras like [filecache]) from the start
+        remainder = entry[len(req.name):].strip()
+
+        # Strip extras bracket if present, e.g. [filecache]
+        if remainder.startswith("["):
+            close = remainder.index("]")
+            remainder = remainder[close + 1:].strip()
+
+        # Strip markers from the end, e.g. "; python_version < '3.4'"
+        if req.marker:
+            marker_pos = remainder.find(";")
+            if marker_pos != -1:
+                remainder = remainder[:marker_pos].strip()
+
+        return remainder
+
     def parse_requirement(entry, pyproject_path, requirement_type=None):
         try:
             req = Requirement(entry)
@@ -45,6 +69,8 @@ def parse_pep621_pep735_dependencies(pyproject_path):
                 "markers": str(req.marker) or None,
                 "file": pyproject_path,
                 "requirement": str(req.specifier),
+                "source_requirement":
+                    original_requirement_from_entry(entry, req),
                 "extras": sorted(list(req.extras)),
                 "requirement_type": requirement_type,
             }

data/helpers/test/fixtures/pep621_spaced_specifiers.toml

@@ -0,0 +1,10 @@
+[project]
+name = "myapp"
+version = "1.0.0"
+
+dependencies = [
+    "requests >= 2.13.0, < 3.0",
+    "urllib3 == 1.26.0",
+    "cachecontrol[filecache] >= 0.14.0",
+    "idna >= 2.5 ; python_version < '3.0'",
+]

data/helpers/test/test_parser.py

@@ -182,3 +182,84 @@ class TestEdgeCases:
         # Both groups should be processed without infinite recursion
         assert "requests" in names
         assert "flask" in names
+
+
+# ---------------------------------------------------------------------------
+# source_requirement — preserves original specifier string from the TOML
+# ---------------------------------------------------------------------------
+class TestSourceRequirement:
+    def test_simple_specifier_preserves_order(self):
+        deps = parse("pep621_dependencies.toml")
+        requests = find_dep(deps, "requests")
+        # Original: "requests>=2.13.0,<3.0" — order preserved
+        assert requests["source_requirement"] == ">=2.13.0,<3.0"
+        # Normalized by packaging: "<3.0,>=2.13.0" (alphabetical by operator)
+        assert requests["requirement"] == "<3.0,>=2.13.0"
+
+    def test_exact_version(self):
+        deps = parse("pep621_dependencies.toml")
+        urllib3 = find_dep(deps, "urllib3")
+        assert urllib3["source_requirement"] == "==1.26.0"
+
+    def test_extras_stripped_from_source(self):
+        deps = parse("pep621_extras.toml")
+        cc = find_dep(deps, "cachecontrol")
+        assert cc["source_requirement"] == ">=0.14.0"
+
+    def test_markers_stripped_from_source(self):
+        deps = parse("pep621_markers.toml")
+        requests = find_dep(deps, "requests")
+        assert requests["source_requirement"] == ">=2.13.0"
+
+    def test_no_version_specifier(self):
+        deps = parse("pep621_no_version.toml")
+        requests = find_dep(deps, "requests")
+        assert requests["source_requirement"] == ""
+
+    def test_multiple_extras_stripped(self):
+        deps = parse("pep621_multiple_extras.toml")
+        boto3 = find_dep(deps, "boto3")
+        assert boto3["source_requirement"] == ">=1.28.0"
+
+    def test_arbitrary_equality(self):
+        deps = parse("pep621_arbitrary_equality.toml")
+        numpy = find_dep(deps, "numpy")
+        assert numpy["source_requirement"] == "===1.24.0rc1"
+
+    def test_spaced_specifiers_preserved(self):
+        deps = parse("pep621_spaced_specifiers.toml")
+        requests = find_dep(deps, "requests")
+        # Spaces are preserved from the original entry
+        assert requests["source_requirement"] == ">= 2.13.0, < 3.0"
+
+    def test_spaced_exact_version_preserved(self):
+        deps = parse("pep621_spaced_specifiers.toml")
+        urllib3 = find_dep(deps, "urllib3")
+        assert urllib3["source_requirement"] == "== 1.26.0"
+
+    def test_spaced_extras_and_specifier(self):
+        deps = parse("pep621_spaced_specifiers.toml")
+        cc = find_dep(deps, "cachecontrol")
+        assert cc["source_requirement"] == ">= 0.14.0"
+
+    def test_spaced_specifier_with_markers(self):
+        deps = parse("pep621_spaced_specifiers.toml")
+        idna = find_dep(deps, "idna")
+        # Markers stripped, original spacing kept
+        assert idna["source_requirement"] == ">= 2.5"
+
+    def test_optional_deps_with_spaces(self):
+        deps = parse("pep621_dependencies.toml")
+        pysocks = find_dep(deps, "PySocks")
+        # Original: "PySocks >= 1.5.6, != 1.5.7, < 2"
+        assert pysocks["source_requirement"] == ">= 1.5.6, != 1.5.7, < 2"
+
+    def test_build_system_source_requirement(self):
+        deps = parse("pep621_dependencies.toml")
+        setuptools = find_dep(deps, "setuptools")
+        assert setuptools["source_requirement"] == ">=68.0"
+
+    def test_dependency_group_source_requirement(self):
+        deps = parse("pep735_dependency_groups.toml")
+        pytest_dep = find_dep(deps, "pytest")
+        assert pytest_dep["source_requirement"] == "==7.1.3"

data/lib/dependabot/python/dependency_grapher/lockfile_generator.rb

@@ -7,6 +7,7 @@ require "dependabot/dependency_file"
 require "dependabot/shared_helpers"
 require "dependabot/python/file_parser/python_requirement_parser"
 require "dependabot/python/language_version_manager"
+require "dependabot/python/poetry_plugin_installer"
 
 module Dependabot
   module Python
@@ -33,6 +34,10 @@ module Dependabot
             SharedHelpers.with_git_configured(credentials: credentials) do
               write_temporary_files
               language_version_manager.install_required_python
+
+              # Install any required Poetry plugins declared in pyproject.toml
+              poetry_plugin_installer.install_required_plugins
+
               run_poetry_lock
               read_generated_lockfile
             end
@@ -119,6 +124,14 @@ module Dependabot
           )
         end
 
+        sig { returns(PoetryPluginInstaller) }
+        def poetry_plugin_installer
+          @poetry_plugin_installer ||= T.let(
+            PoetryPluginInstaller.from_dependency_files(dependency_files),
+            T.nilable(PoetryPluginInstaller)
+          )
+        end
+
         sig { params(error: SharedHelpers::HelperSubprocessFailed).void }
         def handle_generation_error(error)
           Dependabot.logger.error(

data/lib/dependabot/python/file_parser/pyproject_files_parser.rb

@@ -25,6 +25,7 @@ module Dependabot
         sig { params(dependency_files: T::Array[Dependabot::DependencyFile]).void }
         def initialize(dependency_files:)
           @dependency_files = dependency_files
+          @dynamic_fields = T.let(nil, T.nilable(T::Array[String]))
         end
 
         sig { returns(Dependabot::FileParsers::Base::DependencySet) }
@@ -84,16 +85,7 @@ module Dependabot
           return dependencies if using_pdm?
 
           parse_pep621_pep735_dependencies.each do |dep|
-            # If a requirement has a `<` or `<=` marker then updating it is
-            # probably blocked. Ignore it.
-            next if dep["markers"]&.include?("<")
-
-            # If no requirement, don't add it
-            next if dep["requirement"].empty?
-
-            # Skip build-system.requires dependencies when using Poetry
-            # Poetry manages its own build system dependencies
-            next if using_poetry? && dep["requirement_type"] == "build-system.requires"
+            next if skip_pep621_dep?(dep)
 
             dependencies <<
               Dependency.new(
@@ -106,7 +98,9 @@ module Dependabot
                   groups: [dep["requirement_type"]].compact
                 }],
                 package_manager: "pip",
-                metadata: extras_metadata(dep["extras"])
+                metadata: extras_metadata(dep["extras"]).merge(
+                  source_requirement: dep["source_requirement"]
+                ).compact
               )
           end
 
@@ -229,6 +223,43 @@ module Dependabot
           using_pep621? && pdm_lock
         end
 
+        sig { returns(T::Array[String]) }
+        def dynamic_fields
+          @dynamic_fields ||= parsed_pyproject.dig("project", "dynamic") || []
+        end
+
+        sig { params(dep: T::Hash[String, T.untyped]).returns(T::Boolean) }
+        def skip_pep621_dep?(dep)
+          # If a requirement has a `<` or `<=` marker then updating it is
+          # probably blocked. Ignore it.
+          return true if dep["markers"]&.include?("<")
+
+          # If no requirement, don't add it
+          return true if dep["requirement"].empty?
+
+          # Skip build-system.requires dependencies when using Poetry
+          # Poetry manages its own build system dependencies
+          return true if using_poetry? && dep["requirement_type"] == "build-system.requires"
+
+          # When dependencies or optional-dependencies are listed in project.dynamic,
+          # they are managed by the build backend (e.g. Poetry) — skip the PEP 621 path
+          dynamic_pep621_dep?(dep["requirement_type"])
+        end
+
+        sig { params(requirement_type: T.nilable(String)).returns(T::Boolean) }
+        def dynamic_pep621_dep?(requirement_type)
+          return false unless using_poetry?
+          return false unless requirement_type
+
+          if requirement_type == "dependencies"
+            dynamic_fields.include?("dependencies")
+          elsif parsed_pyproject.dig("project", "optional-dependencies")&.key?(requirement_type)
+            dynamic_fields.include?("optional-dependencies")
+          else
+            false
+          end
+        end
+
         # Create a DependencySet where each element has no requirement. Any
         # requirements will be added when combining the DependencySet with
         # other DependencySets.

data/lib/dependabot/python/file_parser.rb

@@ -1,6 +1,7 @@
 # typed: strict
 # frozen_string_literal: true
 
+require "toml-rb"
 require "dependabot/dependency"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
@@ -110,7 +111,13 @@ module Dependabot
 
         return PipenvPackageManager.new(T.must(detect_pipenv_version)) if detect_pipenv_version
 
-        return PoetryPackageManager.new(T.must(detect_poetry_version)) if detect_poetry_version
+        poetry_version = detect_poetry_version
+        if poetry_version
+          return PoetryPackageManager.new(
+            poetry_version,
+            requires_poetry_version_constraint
+          )
+        end
 
         return PipCompilePackageManager.new(T.must(detect_pipcompile_version)) if detect_pipcompile_version
 
@@ -135,6 +142,19 @@ module Dependabot
         nil
       end
 
+      sig { returns(T.nilable(Dependabot::Python::Requirement)) }
+      def requires_poetry_version_constraint
+        return nil unless pyproject&.content
+
+        parsed = TomlRB.parse(T.must(pyproject).content)
+        constraint = parsed.dig("tool", "poetry", "requires-poetry")
+        return nil unless constraint.is_a?(String) && !constraint.strip.empty?
+
+        Dependabot::Python::Requirement.new(constraint.strip)
+      rescue TomlRB::ParseError, TomlRB::ValueOverwriteError, Gem::Requirement::BadRequirementError
+        nil
+      end
+
       # Detects the version of pip-compile. If the version cannot be detected, it returns nil
       sig { returns(T.nilable(String)) }
       def detect_pipcompile_version

data/lib/dependabot/python/file_updater/poetry_file_updater/pep621_updater.rb

@@ -0,0 +1,162 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/python/file_updater/poetry_file_updater"
+
+module Dependabot
+  module Python
+    class FileUpdater
+      class PoetryFileUpdater
+        class Pep621Updater
+          extend T::Sig
+
+          sig { params(dep: Dependabot::Dependency).void }
+          def initialize(dep:)
+            @dep = dep
+          end
+
+          sig do
+            params(
+              content: String,
+              new_r: T::Hash[Symbol, T.untyped],
+              old_r: T::Hash[Symbol, T.untyped]
+            ).returns(T.nilable(String))
+          end
+          def replace(content, new_r, old_r)
+            source_req = dep.metadata[:source_requirement]
+
+            if source_req
+              replace_with_source_requirement(content, source_req, new_r, old_r)
+            else
+              replace_with_normalized_requirement(content, new_r, old_r)
+            end
+          end
+
+          sig { params(source_req: String, old_req: String, new_req: String).returns(String) }
+          def rewrite_pep508_requirement(source_req, old_req, new_req)
+            old_specifiers = parse_specifiers(old_req)
+            new_specifiers = parse_specifiers(new_req)
+
+            old_versions_by_op = group_versions_by_operator(old_specifiers)
+            new_versions_by_op = group_versions_by_operator(new_specifiers)
+
+            replacements = T.let([], T::Array[T::Hash[Symbol, String]])
+            new_versions_by_op.each do |operator, new_versions|
+              old_versions = old_versions_by_op[operator]
+              next unless old_versions
+              next unless old_versions.length == new_versions.length
+
+              old_versions.zip(new_versions).each do |old_version, new_version|
+                next if old_version == new_version
+
+                replacements << {
+                  operator: operator,
+                  old_version: old_version,
+                  new_version: T.must(new_version)
+                }
+              end
+            end
+
+            result = source_req.dup
+            replacements.each do |replacement|
+              op = Regexp.escape(T.must(replacement[:operator]))
+              ver = Regexp.escape(T.must(replacement[:old_version]))
+              result = result.sub(/(#{op}\s*)#{ver}/, "\\1#{replacement[:new_version]}")
+            end
+            result
+          end
+
+          sig { params(specifiers: T::Array[T::Hash[Symbol, String]]).returns(T::Hash[String, T::Array[String]]) }
+          def group_versions_by_operator(specifiers)
+            specifiers.each_with_object(
+              T.let({}, T::Hash[String, T::Array[String]])
+            ) do |specifier, grouped_versions|
+              operator = T.must(specifier[:operator])
+              version = T.must(specifier[:version])
+
+              grouped_versions[operator] ||= []
+              T.must(grouped_versions[operator]) << version
+            end
+          end
+
+          sig { params(req: String).returns(T::Array[T::Hash[Symbol, String]]) }
+          def parse_specifiers(req)
+            req.scan(/([!<>=~]+)\s*([^\s,]+)/).map do |op, ver|
+              { operator: op, version: ver }
+            end
+          end
+
+          private
+
+          sig { returns(Dependabot::Dependency) }
+          attr_reader :dep
+
+          sig do
+            params(
+              content: String,
+              source_req: String,
+              new_r: T::Hash[Symbol, T.untyped],
+              old_r: T::Hash[Symbol, T.untyped]
+            ).returns(T.nilable(String))
+          end
+          def replace_with_source_requirement(content, source_req, new_r, old_r)
+            match = content.match(declaration_regex(source_req))
+            return unless match
+
+            declaration = T.must(match[:declaration])
+            new_req_str = rewrite_pep508_requirement(source_req, old_r[:requirement], new_r[:requirement])
+            content.sub(declaration, declaration.sub(source_req, new_req_str))
+          end
+
+          # Fallback when source_requirement metadata is absent (e.g. after
+          # DependencySet merge or deserialization). Matches using the
+          # normalized requirement string, which may fail on whitespace
+          # differences but is better than skipping the update entirely.
+          sig do
+            params(
+              content: String,
+              new_r: T::Hash[Symbol, T.untyped],
+              old_r: T::Hash[Symbol, T.untyped]
+            ).returns(T.nilable(String))
+          end
+          def replace_with_normalized_requirement(content, new_r, old_r)
+            old_req = old_r[:requirement]
+            new_req = new_r[:requirement]
+
+            match = content.match(normalized_declaration_regex(old_req))
+            return unless match
+
+            declaration = T.must(match[:declaration])
+            return unless declaration.include?(old_req)
+
+            content.sub(declaration, declaration.sub(old_req, new_req))
+          end
+
+          sig { params(old_req: String).returns(Regexp) }
+          def declaration_regex(old_req)
+            /(?<declaration>["']#{escape}\s*#{extras_pattern}\s*#{Regexp.escape(old_req)}["'])/mi
+          end
+
+          sig { params(old_req: String).returns(Regexp) }
+          def normalized_declaration_regex(old_req)
+            /(?<declaration>["']#{escape}#{extras_pattern}#{Regexp.escape(old_req)}["'])/mi
+          end
+
+          sig { returns(String) }
+          def extras_pattern
+            extras_str = dep.metadata[:extras]
+            return "" unless extras_str.is_a?(String) && !extras_str.empty?
+
+            "\\[" + extras_str.split(",").map { |e| Regexp.escape(e.strip) }.join(",\\s*") + "\\]"
+          end
+
+          sig { returns(String) }
+          def escape
+            Regexp.escape(dep.name).gsub("\\-", "[-_.]")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/python/file_updater/poetry_file_updater.rb

@@ -13,12 +13,14 @@ require "dependabot/python/file_parser/python_requirement_parser"
 require "dependabot/python/file_updater"
 require "dependabot/python/native_helpers"
 require "dependabot/python/name_normaliser"
+require "dependabot/python/poetry_plugin_installer"
 
 module Dependabot
   module Python
     class FileUpdater
       class PoetryFileUpdater
         require_relative "pyproject_preparer"
+        require_relative "poetry_file_updater/pep621_updater"
         extend T::Sig
 
         sig { returns(T::Array[Dependabot::DependencyFile]) }
@@ -49,6 +51,7 @@ module Dependabot
           @language_version_manager = T.let(nil, T.nilable(LanguageVersionManager))
           @python_requirement_parser = T.let(nil, T.nilable(FileParser::PythonRequirementParser))
           @updated_pyproject_content = T.let(nil, T.nilable(String))
+          @poetry_plugin_installer = T.let(nil, T.nilable(PoetryPluginInstaller))
           @poetry_lock = T.let(nil, T.nilable(Dependabot::DependencyFile))
         end
 
@@ -77,9 +80,7 @@ module Dependabot
               )
           end
 
-          raise "Expected lockfile to change!" if lockfile && lockfile&.content == updated_lockfile_content
-
-          if lockfile
+          if lockfile && lockfile&.content != updated_lockfile_content
             updated_files <<
               updated_file(file: T.must(lockfile), content: updated_lockfile_content)
           end
@@ -105,52 +106,51 @@ module Dependabot
           updated_content
         end
 
-        sig do
-          params(
-            dep: Dependabot::Dependency,
-            content: String,
-            new_r: T::Hash[Symbol, T.untyped],
-            old_r: T::Hash[Symbol, T.untyped]
-          ).returns(String)
-        end
+        sig { params(dep: Dependabot::Dependency, content: String, new_r: T::Hash[Symbol, T.untyped], old_r: T::Hash[Symbol, T.untyped]).returns(String) }
         def replace_dep(dep, content, new_r, old_r)
-          # Handle Git dependencies with tags
           return update_git_tag(dep, content, new_r, old_r) if git_dependency?(new_r) && git_dependency?(old_r)
 
+          replace_poetry_dep(dep, content, new_r, old_r) ||
+            replace_poetry_table_dep(dep, content, new_r, old_r) ||
+            replace_pep621_dep(dep, content, new_r, old_r) ||
+            content
+        end
+
+        sig { params(dep: Dependabot::Dependency, content: String, new_r: T::Hash[Symbol, T.untyped], old_r: T::Hash[Symbol, T.untyped]).returns(T.nilable(String)) }
+        def replace_poetry_dep(dep, content, new_r, old_r)
           new_req = new_r[:requirement]
           old_req = old_r[:requirement]
 
           declaration_regex = declaration_regex(dep, old_r)
           declaration_match = content.match(declaration_regex)
-          if declaration_match
-            declaration = declaration_match[:declaration]
-            if T.must(declaration).include?(old_req)
-              new_declaration = T.must(declaration).sub(old_req, new_req)
-              return content.sub(T.must(declaration), new_declaration)
-            end
-          end
+          return unless declaration_match
 
-          # Try Poetry table format
-          table_match = content.match(table_declaration_regex(dep, new_r))
-          if table_match
-            return content.gsub(table_declaration_regex(dep, new_r)) do |match|
-              match.gsub(
-                /(\s*version\s*=\s*["'])#{Regexp.escape(old_req)}/,
-                '\1' + new_req
-              )
-            end
-          end
+          declaration = declaration_match[:declaration]
+          return unless T.must(declaration).include?(old_req)
+
+          new_declaration = T.must(declaration).sub(old_req, new_req)
+          content.sub(T.must(declaration), new_declaration)
+        end
+
+        sig { params(dep: Dependabot::Dependency, content: String, new_r: T::Hash[Symbol, T.untyped], old_r: T::Hash[Symbol, T.untyped]).returns(T.nilable(String)) }
+        def replace_poetry_table_dep(dep, content, new_r, old_r)
+          old_req = old_r[:requirement]
+          new_req = new_r[:requirement]
+          regex = table_declaration_regex(dep, new_r)
+
+          return unless content.match(regex)
 
-          # Try PEP 621 array format (e.g., dependencies = ["django==5.0.0"])
-          pep621_regex = pep621_declaration_regex(dep, old_req)
-          pep621_match = content.match(pep621_regex)
-          if pep621_match
-            declaration = pep621_match[:declaration]
-            new_declaration = T.must(declaration).sub(old_req, new_req)
-            return content.sub(T.must(declaration), new_declaration)
+          content.gsub(regex) do |match|
+            match.gsub(
+              /(\s*version\s*=\s*["'])#{Regexp.escape(old_req)}/,
+              '\1' + new_req
+            )
           end
+        end
 
-          content
+        sig { params(dep: Dependabot::Dependency, content: String, new_r: T::Hash[Symbol, T.untyped], old_r: T::Hash[Symbol, T.untyped]).returns(T.nilable(String)) }
+        def replace_pep621_dep(dep, content, new_r, old_r)
+          Pep621Updater.new(dep: dep).replace(content, new_r, old_r)
         end
 
         sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Boolean) }
@@ -158,14 +158,7 @@ module Dependabot
           req.dig(:source, :type) == "git"
         end
 
-        sig do
-          params(
-            dep: Dependabot::Dependency,
-            content: String,
-            new_r: T::Hash[Symbol, T.untyped],
-            old_r: T::Hash[Symbol, T.untyped]
-          ).returns(String)
-        end
+        sig { params(dep: Dependabot::Dependency, content: String, new_r: T::Hash[Symbol, T.untyped], old_r: T::Hash[Symbol, T.untyped]).returns(String) }
         def update_git_tag(dep, content, new_r, old_r)
           old_tag = old_r.dig(:source, :ref)
           new_tag = new_r.dig(:source, :ref)
@@ -302,6 +295,7 @@ module Dependabot
               add_auth_env_vars
 
               language_version_manager.install_required_python
+              poetry_plugin_installer.install_required_plugins
 
               # use system git instead of the pure Python dulwich
               run_poetry_command("pyenv exec poetry config system-git-client true")
@@ -350,17 +344,7 @@ module Dependabot
             .add_auth_env_vars(credentials)
         end
 
-        sig do
-          params(
-            pyproject_content: String
-          ).returns(T.nilable(
-                      T.any(
-                        T::Hash[String, T.untyped],
-                        String,
-                        T::Array[T::Hash[String, T.untyped]]
-                      )
-                    ))
-        end
+        sig { params(pyproject_content: String).returns(T.nilable(T.any(T::Hash[String, T.untyped], String, T::Array[T::Hash[String, T.untyped]]))) }
         def pyproject_hash_for(pyproject_content)
           SharedHelpers.in_a_temporary_directory do |dir|
             SharedHelpers.with_git_configured(credentials: credentials) do
@@ -388,20 +372,6 @@ module Dependabot
           /tool\.poetry\.#{old_req[:groups].first}\.#{escape(dep)}\](?:\r?\n).*?\s*version\s* =.*?(?:\r?\n)/m
         end
 
-        sig { params(dep: Dependabot::Dependency, old_req: String).returns(Regexp) }
-        def pep621_declaration_regex(dep, old_req)
-          /(?<declaration>["']#{escape(dep)}#{extras_pattern(dep)}#{Regexp.escape(old_req)}["'])/mi
-        end
-
-        # Reconstructs extras from metadata for PEP 621 regex matching.
-        sig { params(dep: Dependabot::Dependency).returns(String) }
-        def extras_pattern(dep)
-          extras_str = dep.metadata[:extras]
-          return "" unless extras_str.is_a?(String) && !extras_str.empty?
-
-          "\\[" + extras_str.split(",").map { |e| Regexp.escape(e.strip) }.join(",\\s*") + "\\]"
-        end
-
         sig { params(dep: Dependency).returns(String) }
         def escape(dep)
           Regexp.escape(dep.name).gsub("\\-", "[-_.]")
@@ -448,6 +418,14 @@ module Dependabot
             )
         end
 
+        sig { returns(PoetryPluginInstaller) }
+        def poetry_plugin_installer
+          @poetry_plugin_installer ||= T.let(
+            PoetryPluginInstaller.from_dependency_files(dependency_files),
+            T.nilable(PoetryPluginInstaller)
+          )
+        end
+
         sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def pyproject
           @pyproject ||=

data/lib/dependabot/python/file_updater/pyproject_preparer.rb

@@ -16,29 +16,28 @@ module Dependabot
       class PyprojectPreparer
         extend T::Sig
 
-        # Builds a regex pattern that matches a PEP 508 package name,
-        # treating hyphens, underscores, and dots as interchangeable per PEP 508.
-        sig { params(name: String).returns(String) }
-        def self.pep508_name_pattern(name)
-          Regexp.escape(name).gsub("\\-", "[-_.]").gsub("_", "[-_.]").gsub("\\.", "[-_.]")
-        end
-        private_class_method :pep508_name_pattern
+        # Fixed regex for extracting the name+extras prefix from a PEP 508 entry.
+        # Does not interpolate library input, avoiding polynomial backtracking.
+        PEP508_PREFIX = T.let(
+          /\A(?<prefix>(?<name>[a-zA-Z0-9](?:[a-zA-Z0-9._-]*[a-zA-Z0-9])?)(?:\[[^\]]*\])?)/i,
+          Regexp
+        )
 
         # Pins a single PEP 508 dependency entry string to a specific version,
         # preserving extras and environment markers.
-        sig { params(entry: String, name_pattern: String, version: String).returns(String) }
-        def self.pin_pep508_entry(entry, name_pattern, version)
-          if entry.match?(/\A#{name_pattern}(\[.*?\])?\s*[><=!~]/i)
-            entry.sub(
-              /(?<pre>#{name_pattern}(?:\[.*?\])?)\s*[><=!~][^;]*?(?=\s*;|\s*\z)/i,
-              "\\k<pre>==#{version}"
-            )
-          else
-            entry.sub(
-              /(?<pre>#{name_pattern}(?:\[.*?\])?)(?<rest>\s*(?:;.*)?)/i,
-              "\\k<pre>==#{version}\\k<rest>"
-            )
-          end
+        sig { params(entry: String, version: String).returns(String) }
+        def self.pin_pep508_entry(entry, version)
+          prefix_match = entry.match(PEP508_PREFIX)
+          return entry unless prefix_match
+
+          prefix = T.must(prefix_match[:prefix])
+          rest = T.must(entry[prefix.length..])
+
+          # Extract the environment marker ("; ..." suffix) if present
+          marker_match = rest.match(/(\s*;.*)/)
+          marker = marker_match ? marker_match[1] : ""
+
+          "#{prefix}==#{version}#{marker}"
         end
         private_class_method :pin_pep508_entry
 
@@ -79,12 +78,14 @@ module Dependabot
 
         sig { params(dep_arrays: T::Array[T::Array[String]], dep: Dependabot::Dependency).void }
         def self.pin_pep621_dep_in_arrays!(dep_arrays, dep)
-          name_pattern = pep508_name_pattern(dep.name)
+          normalised_name = NameNormaliser.normalise(dep.name)
           dep_arrays.each do |arr|
             arr.each_with_index do |entry, i|
-              next unless entry.match?(/\A#{name_pattern}(\[.*?\])?\s*(\z|[><=!~;,])/i)
+              match = entry.match(PEP508_PREFIX)
+              next unless match
+              next unless NameNormaliser.normalise(T.must(match[:name])) == normalised_name
 
-              arr[i] = pin_pep508_entry(entry, name_pattern, T.must(dep.version))
+              arr[i] = pin_pep508_entry(entry, T.must(dep.version))
             end
           end
         end
@@ -138,8 +139,8 @@ module Dependabot
             .gsub('#{', "{")
         end
 
-        # rubocop:disable Metrics/PerceivedComplexity
-        # rubocop:disable Metrics/AbcSize
+        UNSUPPORTED_SOURCE_TYPES = T.let(%w(directory file url).freeze, T::Array[String])
+
         sig { params(dependencies: T::Array[Dependabot::Dependency]).returns(String) }
         def freeze_top_level_dependencies_except(dependencies)
           return pyproject_content unless lockfile
@@ -154,32 +155,10 @@ module Dependabot
           Dependabot::Python::FileParser::PyprojectFilesParser::POETRY_DEPENDENCY_TYPES.each do |key|
             next unless poetry_object[key]
 
-            source_types = %w(directory file url)
             poetry_object.fetch(key).each do |dep_name, _|
               next if excluded_names.include?(normalise(dep_name))
 
-              locked_details = locked_details(dep_name)
-
-              next unless (locked_version = locked_details&.fetch("version"))
-
-              next if source_types.include?(locked_details.dig("source", "type"))
-
-              if locked_details.dig("source", "type") == "git"
-                poetry_object[key][dep_name] = {
-                  "git" => locked_details.dig("source", "url"),
-                  "rev" => locked_details.dig("source", "reference")
-                }
-                subdirectory = locked_details.dig("source", "subdirectory")
-                poetry_object[key][dep_name]["subdirectory"] = subdirectory if subdirectory
-              elsif poetry_object[key][dep_name].is_a?(Hash)
-                poetry_object[key][dep_name]["version"] = locked_version
-              elsif poetry_object[key][dep_name].is_a?(Array)
-                # if it has multiple-constraints, locking to a single version is
-                # going to result in a bad lockfile, ignore
-                next
-              else
-                poetry_object[key][dep_name] = locked_version
-              end
+              freeze_poetry_dep!(poetry_object[key], dep_name)
             end
           end
 
@@ -188,8 +167,6 @@ module Dependabot
 
           TomlRB.dump(pyproject_object)
         end
-        # rubocop:enable Metrics/AbcSize
-        # rubocop:enable Metrics/PerceivedComplexity
 
         private
 
@@ -199,6 +176,33 @@ module Dependabot
         sig { returns(T.nilable(Dependabot::DependencyFile)) }
         attr_reader :lockfile
 
+        sig { params(deps_hash: T::Hash[String, T.untyped], dep_name: String).void }
+        def freeze_poetry_dep!(deps_hash, dep_name)
+          details = locked_details(dep_name)
+          return unless (locked_version = details&.fetch("version"))
+
+          source_type = details.dig("source", "type")
+          return if UNSUPPORTED_SOURCE_TYPES.include?(source_type)
+
+          if source_type == "git"
+            freeze_git_dep!(deps_hash, dep_name, details)
+          elsif deps_hash[dep_name].is_a?(Hash)
+            deps_hash[dep_name]["version"] = locked_version
+          elsif !deps_hash[dep_name].is_a?(Array)
+            deps_hash[dep_name] = locked_version
+          end
+        end
+
+        sig { params(deps_hash: T::Hash[String, T.untyped], dep_name: String, details: T::Hash[String, T.untyped]).void }
+        def freeze_git_dep!(deps_hash, dep_name, details)
+          deps_hash[dep_name] = {
+            "git" => details.dig("source", "url"),
+            "rev" => details.dig("source", "reference")
+          }
+          subdirectory = details.dig("source", "subdirectory")
+          deps_hash[dep_name]["subdirectory"] = subdirectory if subdirectory
+        end
+
         sig { params(pyproject_object: T::Hash[String, T.untyped], excluded_names: T::Array[String]).void }
         def freeze_pep621_top_level_deps!(pyproject_object, excluded_names)
           project_object = pyproject_object["project"]
@@ -226,8 +230,7 @@ module Dependabot
             locked_details = locked_details(dep_name)
             next unless (locked_version = locked_details&.fetch("version"))
 
-            name_pattern = self.class.send(:pep508_name_pattern, T.must(match[1]))
-            dep_array[index] = self.class.send(:pin_pep508_entry, entry, name_pattern, locked_version)
+            dep_array[index] = self.class.send(:pin_pep508_entry, entry, locked_version)
           end
         end
 

data/lib/dependabot/python/package_manager.rb

@@ -86,6 +86,22 @@ module Dependabot
       def unsupported?
         false
       end
+
+      # Poetry supports requires-poetry constraints in pyproject.toml;
+      # other Python package managers don't have an equivalent mechanism.
+      sig { override.void }
+      def raise_if_unsupported!
+        super
+        return unless requirement
+        return unless version
+        return if T.cast(T.must(requirement).satisfied_by?(T.must(version)), T::Boolean)
+
+        raise Dependabot::ToolVersionNotSupported.new(
+          NAME,
+          version.to_s,
+          requirement.to_s
+        )
+      end
     end
 
     class PipCompilePackageManager < Dependabot::Ecosystem::VersionManager

data/lib/dependabot/python/poetry_plugin_installer.rb

@@ -0,0 +1,95 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "shellwords"
+require "sorbet-runtime"
+require "toml-rb"
+require "dependabot/dependency_file"
+require "dependabot/errors"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module Python
+    class PoetryPluginInstaller
+      extend T::Sig
+
+      # Only allow valid PyPI package names to prevent command injection
+      VALID_PLUGIN_NAME = /\A[a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?\z/
+
+      # Only allow valid version constraint characters to prevent command injection
+      VALID_CONSTRAINT = /\A[a-zA-Z0-9.*,!=<>~^ ]+\z/
+
+      sig { params(dependency_files: T::Array[Dependabot::DependencyFile]).returns(PoetryPluginInstaller) }
+      def self.from_dependency_files(dependency_files)
+        pyproject_content = dependency_files.find { |f| f.name == "pyproject.toml" }&.content
+        new(pyproject_content: pyproject_content)
+      end
+
+      sig { params(pyproject_content: T.nilable(String)).void }
+      def initialize(pyproject_content:)
+        @pyproject_content = T.let(pyproject_content, T.nilable(String))
+        @plugins_installed = T.let(false, T::Boolean)
+      end
+
+      sig { void }
+      def install_required_plugins
+        return if @plugins_installed
+
+        required_plugins.each do |name, constraint|
+          install_plugin(name, constraint)
+        end
+
+        @plugins_installed = true
+      end
+
+      private
+
+      sig { returns(T.nilable(String)) }
+      attr_reader :pyproject_content
+
+      sig { returns(T::Hash[String, String]) }
+      def required_plugins
+        return {} unless pyproject_content
+
+        parsed = TomlRB.parse(pyproject_content)
+        plugins = parsed.dig("tool", "poetry", "requires-plugins")
+        return {} unless plugins.is_a?(Hash)
+
+        plugins.each_with_object({}) do |(name, constraint), result|
+          next unless name.is_a?(String) && constraint.is_a?(String)
+          next unless valid_plugin_name?(name)
+          next unless valid_constraint?(constraint)
+
+          result[name] = constraint
+        end
+      rescue TomlRB::ParseError, TomlRB::ValueOverwriteError
+        {}
+      end
+
+      sig { params(name: String).returns(T::Boolean) }
+      def valid_plugin_name?(name)
+        VALID_PLUGIN_NAME.match?(name)
+      end
+
+      sig { params(constraint: String).returns(T::Boolean) }
+      def valid_constraint?(constraint)
+        VALID_CONSTRAINT.match?(constraint)
+      end
+
+      sig { params(name: String, constraint: String).void }
+      def install_plugin(name, constraint)
+        Dependabot.logger.info("Installing Poetry plugin: #{name}@#{constraint}")
+
+        escaped = Shellwords.shellescape("#{name}@#{constraint}")
+        SharedHelpers.run_shell_command(
+          "pyenv exec poetry self add #{escaped}",
+          fingerprint: "pyenv exec poetry self add <plugin_name>@<constraint>"
+        )
+      rescue SharedHelpers::HelperSubprocessFailed => e
+        Dependabot.logger.warn(
+          "Failed to install Poetry plugin #{name}@#{constraint}: #{e.message}"
+        )
+      end
+    end
+  end
+end

data/lib/dependabot/python/update_checker/poetry_version_resolver.rb

@@ -18,6 +18,7 @@ require "dependabot/python/requirement"
 require "dependabot/python/native_helpers"
 require "dependabot/python/authed_url_builder"
 require "dependabot/python/name_normaliser"
+require "dependabot/python/poetry_plugin_installer"
 
 module Dependabot
   module Python
@@ -90,6 +91,7 @@ module Dependabot
           @original_reqs_resolvable = T.let(nil, T.nilable(T::Boolean))
           @python_requirement_parser = T.let(nil, T.nilable(FileParser::PythonRequirementParser))
           @language_version_manager = T.let(nil, T.nilable(LanguageVersionManager))
+          @poetry_plugin_installer = T.let(nil, T.nilable(PoetryPluginInstaller))
         end
 
         sig { params(requirement: T.nilable(String)).returns(T.nilable(Dependabot::Python::Version)) }
@@ -129,6 +131,9 @@ module Dependabot
 
                 language_version_manager.install_required_python
 
+                # Install any required Poetry plugins declared in pyproject.toml
+                poetry_plugin_installer.install_required_plugins
+
                 # use system git instead of the pure Python dulwich
                 run_poetry_command("pyenv exec poetry config system-git-client true")
 
@@ -385,6 +390,14 @@ module Dependabot
           poetry_lock
         end
 
+        sig { returns(PoetryPluginInstaller) }
+        def poetry_plugin_installer
+          @poetry_plugin_installer ||= T.let(
+            PoetryPluginInstaller.from_dependency_files(dependency_files),
+            T.nilable(PoetryPluginInstaller)
+          )
+        end
+
         sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
         def run_poetry_command(command, fingerprint: nil)
           SharedHelpers.run_shell_command(command, fingerprint: fingerprint)

data/lib/dependabot/python/update_checker/requirements_updater.rb

@@ -11,11 +11,13 @@ require "dependabot/requirements_update_strategy"
 module Dependabot
   module Python
     class UpdateChecker
+      # rubocop:disable Metrics/ClassLength
       class RequirementsUpdater
         extend T::Sig
 
         PYPROJECT_OR_SEPARATOR = T.let(/(?<=[a-zA-Z0-9*])\s*\|+/, Regexp)
         PYPROJECT_SEPARATOR = T.let(/#{PYPROJECT_OR_SEPARATOR}|,/, Regexp)
+        LOWER_BOUND_OPS = T.let(%w(> >=).freeze, T::Array[String])
 
         class UnfixableRequirement < StandardError; end
 
@@ -111,13 +113,25 @@ module Dependabot
         def updated_pyproject_requirement(req)
           return req unless latest_resolvable_version
           return req unless req.fetch(:requirement)
-          return req if new_version_satisfies?(req) && !has_lockfile
+          return req if skip_pyproject_update?(req)
 
+          pyproject_update_for_strategy(req)
+        rescue UnfixableRequirement
+          req.merge(requirement: :unfixable)
+        end
+
+        sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Boolean) }
+        def skip_pyproject_update?(req)
+          new_version_satisfies?(req) && !has_lockfile &&
+            update_strategy != RequirementsUpdateStrategy::BumpVersions
+        end
+
+        sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
+        def pyproject_update_for_strategy(req)
           # If the requirement uses || syntax then we always want to widen it
           return widen_pyproject_requirement(req) if req.fetch(:requirement).match?(PYPROJECT_OR_SEPARATOR)
 
-          # If the requirement is a development dependency we always want to
-          # bump it
+          # If the requirement is a development dependency we always want to bump it
           return update_pyproject_version(req) if req.fetch(:groups).include?("dev-dependencies")
 
           case update_strategy
@@ -126,37 +140,40 @@ module Dependabot
           when RequirementsUpdateStrategy::BumpVersionsIfNecessary then update_pyproject_version_if_needed(req)
           else raise "Unexpected update strategy: #{update_strategy}"
           end
-        rescue UnfixableRequirement
-          req.merge(requirement: :unfixable)
         end
 
         sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
         def update_pyproject_version_if_needed(req)
           return req if new_version_satisfies?(req)
 
-          update_pyproject_version(req)
+          update_pyproject_version_core(req, bump_lower_bound: false)
         end
 
         sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
         def update_pyproject_version(req)
+          return req if req[:requirement] == "*"
+
+          update_pyproject_version_core(req, bump_lower_bound: true)
+        end
+
+        sig do
+          params(
+            req: T::Hash[Symbol, T.untyped],
+            bump_lower_bound: T::Boolean
+          ).returns(T::Hash[Symbol, T.untyped])
+        end
+        def update_pyproject_version_core(req, bump_lower_bound:)
           requirement_strings = req[:requirement].split(",").map(&:strip)
 
           new_requirement =
             if requirement_strings.any? { |r| r.match?(/^=|^\d/) }
-              # If there is an equality operator, just update that. It must
-              # be binding and any other requirements will be being ignored
               find_and_update_equality_match(requirement_strings)
             elsif requirement_strings.any? { |r| r.start_with?("~", "^") }
-              # If a compatibility operator is being used, just bump its
-              # version (and remove any other requirements)
               v_req = requirement_strings.find { |r| r.start_with?("~", "^") }
               bump_version(v_req, latest_resolvable_version.to_s)
-            elsif new_version_satisfies?(req)
-              # Otherwise we're looking at a range operator. No change
-              # required if it's already satisfied
-              req.fetch(:requirement)
+            elsif bump_lower_bound
+              bump_requirements_range(requirement_strings)
             else
-              # But if it's not, update it
               update_requirements_range(requirement_strings)
             end
 
@@ -344,6 +361,59 @@ module Dependabot
             .sort_by { |r| requirement_class.new(r).requirements.first.last }.join(",").delete(" ")
         end
 
+        # Bumps the lower bound of a range requirement to the latest version
+        # Used by BumpVersions strategy to increase the minimum version
+        sig { params(requirement_strings: T::Array[String]).returns(String) }
+        def bump_requirements_range(requirement_strings)
+          ruby_requirements = requirement_strings.map { |r| requirement_class.new(r) }
+
+          validate_lower_bounds_not_too_high(ruby_requirements)
+
+          updated_requirement_strings = ruby_requirements.map { |r| bump_single_requirement(r) }
+
+          updated_requirement_strings
+            .sort_by { |r| requirement_class.new(r).requirements.first.last }.join(",").delete(" ")
+        end
+
+        sig { params(ruby_requirements: T::Array[Dependabot::Python::Requirement]).void }
+        def validate_lower_bounds_not_too_high(ruby_requirements)
+          ruby_requirements.each do |r|
+            op, version = r.requirements.first
+            raise UnfixableRequirement if LOWER_BOUND_OPS.include?(op) && version > T.must(latest_resolvable_version)
+          end
+        end
+
+        sig { params(req: Dependabot::Python::Requirement).returns(String) }
+        def bump_single_requirement(req)
+          op, version = req.requirements.first
+
+          case op
+          when ">=" then ">=" + T.must(latest_resolvable_version).to_s
+          # Strict lower bound becomes inclusive because the resolved version
+          # is the exact target — using ">" would exclude it.
+          when ">" then ">=" + T.must(latest_resolvable_version).to_s
+          when "<" then bump_upper_bound_less_than(req, version)
+          when "<=" then bump_upper_bound_less_or_equal(req)
+          when "~>", "~=" then bump_version(req.to_s, T.must(latest_resolvable_version).to_s)
+          when "!=" then req.to_s
+          else req.to_s
+          end
+        end
+
+        sig { params(req: Dependabot::Python::Requirement, version: Gem::Version).returns(String) }
+        def bump_upper_bound_less_than(req, version)
+          return req.to_s if req.satisfied_by?(T.must(latest_resolvable_version))
+
+          "<" + update_greatest_version(version, T.must(latest_resolvable_version))
+        end
+
+        sig { params(req: Dependabot::Python::Requirement).returns(String) }
+        def bump_upper_bound_less_or_equal(req)
+          return req.to_s if req.satisfied_by?(T.must(latest_resolvable_version))
+
+          "<=" + T.must(latest_resolvable_version).to_s
+        end
+
         # Updates the version in a constraint to be the given version
         sig { params(req_string: String, version_to_be_permitted: String).returns(String) }
         def bump_version(req_string, version_to_be_permitted)
@@ -448,6 +518,7 @@ module Dependabot
           Python::Requirement
         end
       end
+      # rubocop:enable Metrics/ClassLength
     end
   end
 end

data/lib/dependabot/python/update_checker.rb

@@ -409,14 +409,18 @@ module Dependabot
       def check_pypi_for_library_match
         return false unless updating_pyproject? && library_details && !T.must(library_details)["name"].nil?
 
+        # If the project has a description in its pyproject.toml metadata, treat it as a
+        # library when PyPI is unavailable or the package isn't published there yet.
+        has_library_metadata = !T.must(library_details)["description"].nil?
+
         response = Dependabot::RegistryClient.get(
           url: "https://pypi.org/pypi/#{normalised_name(T.must(library_details)['name'])}/json/"
         )
-        return false unless response.status == 200
+        return has_library_metadata unless response.status == 200
 
         (JSON.parse(response.body)["info"] || {})["summary"] == T.must(library_details)["description"]
       rescue Excon::Error::Timeout, Excon::Error::Socket, URI::InvalidURIError
-        false
+        has_library_metadata
       end
 
       sig { returns(T::Boolean) }

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-python
 version: !ruby/object:Gem::Version
-  version: 0.369.0
+  version: 0.370.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.369.0
+        version: 0.370.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.369.0
+        version: 0.370.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -256,6 +256,7 @@ files:
 - helpers/test/fixtures/pep621_multiple_extras.toml
 - helpers/test/fixtures/pep621_no_version.toml
 - helpers/test/fixtures/pep621_only_build_system.toml
+- helpers/test/fixtures/pep621_spaced_specifiers.toml
 - helpers/test/fixtures/pep735_cycle.toml
 - helpers/test/fixtures/pep735_dependency_groups.toml
 - helpers/test/fixtures/requirements/constraints.txt
@@ -288,6 +289,7 @@ files:
 - lib/dependabot/python/file_updater/pipfile_manifest_updater.rb
 - lib/dependabot/python/file_updater/pipfile_preparer.rb
 - lib/dependabot/python/file_updater/poetry_file_updater.rb
+- lib/dependabot/python/file_updater/poetry_file_updater/pep621_updater.rb
 - lib/dependabot/python/file_updater/pyproject_preparer.rb
 - lib/dependabot/python/file_updater/requirement_file_updater.rb
 - lib/dependabot/python/file_updater/requirement_replacer.rb
@@ -302,6 +304,7 @@ files:
 - lib/dependabot/python/package_manager.rb
 - lib/dependabot/python/pip_compile_file_matcher.rb
 - lib/dependabot/python/pipenv_runner.rb
+- lib/dependabot/python/poetry_plugin_installer.rb
 - lib/dependabot/python/requirement.rb
 - lib/dependabot/python/requirement_parser.rb
 - lib/dependabot/python/shared_file_fetcher.rb
@@ -319,7 +322,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.369.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.370.0
 rdoc_options: []
 require_paths:
 - lib